When using a “sponge function” to create a cryptographic hash, we can look at the flat sponge claim, which flattens the claimed success probabilities of all attacks using a single parameter: the claimed capacity $c_{\text{claim}}$.

Is there any way to actually verify the probability of that claim - in this case: potential probability of collisions of the “sponge function”-based cryptographic hash - and what would such a proof formula/calculation look like?

@owlstead Maybe next time, you can grab one of my bounties. I tend to frequently drop them. Just today I dumped 50 points to crypto.stackexchange.com/a/4032/6961 for an answer to a 3rd party question. Now I have to regain a bit of reputation before going "bounty" again, but it's just a matter of time until I drop more bounty in the ring. ;)
– e-sushi♦ Jul 22 '13 at 17:52

Yeah, I do the same thing on stackoverflow, but my crypto rep is too valuable to me...
– Maarten Bodewes Jul 22 '13 at 17:54

…it turns out that the probability of the claim can only be "proven" theoretically. In other words: currently, there is no way to actually and/or practically verify the probability of the claim.

The current status quo states that collisions are theoretically proven to be very unlikely in a cryptographic sense. I guess that — as with all cryptographic theories — only time can tell if that actually provides a problem or not.

But getting back to my question: no, it can't actually be verified currently.

I don't expect this to change anytime soon either, as the theoretical proof that collisions are very unlikely in a cryptographic sense seems to be strong enough to regard sponge functions as (let's just call it) "secure". In fact, if you check the linked documents, you will find ample information on how to replicate the theoretical proofs in relation to collision probabilities using sponge functions under a multitude of conditions. As far as I checked, cross-checked, and even practically used those formulas to verify things myself, I got convinced that collisions are indeed very (very) unlikely.

I hope you don't mind that I'm sparing you a copy-and-paste job of more than a dozen pages full of math code. Those who want to dive in deeper can fetch the multitude of related formulas and a truckload of additional, interesting information from the linked documents I listed above.
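
To show what evaluating the claim looks like in numbers, here is an added example (not part of the original post or of the linked documents). It uses the bound from the sponge designers' flat sponge claim, random-oracle success plus 1 − exp(−N(N+1)/2^(c_claim+1)) for N calls to f, and only evaluates that bound without verifying it. The function names and the parameters c_claim = 256 with 256 output bits are constructed for illustration.

```python
import math

def flat_sponge_term(log2_n: float, c_claim: int) -> float:
    """Extra success probability the flat sponge claim allows over a random
    oracle after N = 2**log2_n calls to f: 1 - exp(-N(N+1) / 2**(c_claim+1))."""
    n = 2.0 ** log2_n
    x = n * (n + 1) / 2.0 ** (c_claim + 1)
    return -math.expm1(-x)          # expm1 keeps precision when x is tiny

def ro_collision(log2_q: float, out_bits: int) -> float:
    """Birthday approximation for a random oracle with out_bits of output
    after q = 2**log2_q queries: 1 - exp(-q(q-1) / 2**(out_bits+1))."""
    q = 2.0 ** log2_q
    return -math.expm1(-q * (q - 1) / 2.0 ** (out_bits + 1))

def collision_bound(log2_n: float, c_claim: int, out_bits: int) -> float:
    """Claimed upper bound on collision probability, capped at 1.
    Assumption: every hash query costs at least one call to f, so the
    random-oracle term is evaluated generously with q = N."""
    total = ro_collision(log2_n, out_bits) + flat_sponge_term(log2_n, c_claim)
    return min(1.0, total)

def log2_calls_for(p: float, c_claim: int) -> float:
    """log2 of the N at which the flat sponge term alone reaches p,
    obtained by solving N(N+1) = -ln(1-p) * 2**(c_claim+1) for N."""
    target = -math.log1p(-p) * 2.0 ** (c_claim + 1)
    n = (-1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0
    return math.log2(n)

if __name__ == "__main__":
    C_CLAIM, OUT_BITS = 256, 256    # constructed sample parameters
    for log2_n in (64, 96, 120, 128):
        extra = flat_sponge_term(log2_n, C_CLAIM)
        bound = collision_bound(log2_n, C_CLAIM, OUT_BITS)
        print(f"N=2^{log2_n:<4} flat term={extra:.3e}  collision bound={bound:.3e}")
    print(f"flat term reaches 1/2 at N ~ 2^{log2_calls_for(0.5, C_CLAIM):.2f}")
```

For N well below 2^(c_claim/2) the flat term is approximately N²/2^(c_claim+1), which is why the claim is usually summarised as c_claim/2 bits of security.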